Author: w33f (Novice; Joined: 07 Nov 2013; Posts: 17)
Posted: Thu Jul 03, 2014 8:05 pm    Post subject: z/OS issue with RACF/IMS sending response msg

Hi guys
 
 
I'll try to keep this short and sweet. I have an MQ msg coming from a Windows qmgr AUMQ001 into a z/OS IMS.OTMA queue on z/OS qmgr MQAA.

When IMS tries to reply to the msg, there's a RACF error coming up in the MQMSTR logs:
   
Code:
   130               ACCESS INTENT(UPDATE )  ACCESS ALLOWED(NONE   )
12.44.20 STC01242  ICH408I JOB(MQAAMSTR) STEP(MQAAMSTR) MQAA.AUQM001 CL(MQQUEUE
   218               INSUFFICIENT ACCESS AUTHORITY
   218               FROM MQAA.AUQM%%% (G)
   218               ACCESS INTENT(UPDATE )  ACCESS ALLOWED(NONE   )

This is strange, as when I view the RACF profile MQAA.AUQM%%% it has the following permissions:
 
 
   
Code:
USER      ACCESS
----      ------
DRPMQQU   ALTER
IMSSTC    UPDATE
MQAUTH    ALTER
MQAACHIN  UPDATE
MQAAMSTR  UPDATE
MQSTC     UPDATE
CICSTRGN  UPDATE
CICSDFLT  UPDATE
IMSWRDR   UPDATE
IMSTRDR   UPDATE
   
 
 
 
I'll note that I've run the 'refresh security(*)' command several times with no luck. So not only does MQAAMSTR have UPDATE access to the queue it's complaining about, but also I'd expect the IMS userid (IMSTRDR) to be the one trying to access this queue profile given it's IMS sending the reply message?
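Added here as an example (not code from the thread or from IBM): a small Python triage helper that folds the multi-line ICH408I message above into one record, checks that the generic profile covers the resource, and reports which identity RACF actually evaluated against the access list. The log lines and access list are the ones from this post; the function names and the simplified generic-matching rules are assumptions of mine.

```python
import re
# Constructed sample copied from the post: the ICH408I message from the MQAAMSTR job log; the leading "130"/"218" are console line ids, not RACF text.
SAMPLE_LOG = """\
   130               ACCESS INTENT(UPDATE )  ACCESS ALLOWED(NONE   )
12.44.20 STC01242  ICH408I JOB(MQAAMSTR) STEP(MQAAMSTR) MQAA.AUQM001 CL(MQQUEUE
   218               INSUFFICIENT ACCESS AUTHORITY
   218               FROM MQAA.AUQM%%% (G)
   218               ACCESS INTENT(UPDATE )  ACCESS ALLOWED(NONE   )
"""
# Access list of MQAA.AUQM%%% as listed in the post (constructed from the thread).
ACCESS_LIST = {"DRPMQQU": "ALTER", "IMSSTC": "UPDATE", "MQAUTH": "ALTER", "MQAACHIN": "UPDATE",
               "MQAAMSTR": "UPDATE", "MQSTC": "UPDATE", "CICSTRGN": "UPDATE",
               "CICSDFLT": "UPDATE", "IMSWRDR": "UPDATE", "IMSTRDR": "UPDATE"}
RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}  # RACF access levels

def parse_ich408i(text):
    """One field dict per ICH408I message, with its numbered continuation lines folded in."""
    messages, open_msg = [], False
    for line in text.splitlines():
        cont = re.match(r"\s+\d{3}\s+(.*)", line)
        if "ICH408I" in line:                              # first line of a message
            messages.append(line.split("ICH408I", 1)[1])
        elif open_msg and cont:                             # continuation of that message
            messages[-1] += " " + cont.group(1).strip()
        open_msg = "ICH408I" in line or (open_msg and cont is not None)
    return [fields(m) for m in messages]

def fields(msg):
    """Pull the security-relevant fields out of one folded ICH408I message."""
    pats = {"user": r"USER\((\S+)\)",      # absent in this log: RACF saw no defined userid
            "job": r"JOB\((\S+)\)", "resource": r"(\S+)\s+CL\(",
            "class": r"CL\((\w+)",          # no closing ')': the log line is truncated
            "profile": r"FROM\s+(\S+)", "intent": r"ACCESS INTENT\((\w+)"}
    return {k: (m.group(1) if (m := re.search(p, msg)) else None) for k, p in pats.items()}

def generic_matches(profile, resource):
    """Simplified RACF generic match: % = one character, * = rest of a qualifier, ** = any qualifiers."""
    pat = re.escape(profile).replace(r"\*\*", ".*").replace(r"\*", "[^.]*").replace(r"\%", "%")
    return re.fullmatch(pat.replace("%", "[^.]"), resource) is not None

def triage(rec, access_list):
    """Explain the denial from the identity RACF actually checked, as the thread worked out."""
    if not generic_matches(rec["profile"], rec["resource"]):
        return "MISMATCH: profile does not cover the resource"
    if rec["user"] is None:   # access lists are matched on the requesting userid, never the JOB name
        return f"UNDEFINED-USER: no USER() in ICH408I; the list entry for {rec['job']} was not the identity checked"
    held = access_list.get(rec["user"], "NONE")
    verdict = "STALE?" if RANK[held] >= RANK[rec["intent"]] else "INSUFFICIENT"
    return f"{verdict}: {rec['user']} holds {held}, request needs {rec['intent']}"
```

Run `triage(parse_ich408i(SAMPLE_LOG)[0], ACCESS_LIST)` to get the UNDEFINED-USER verdict for the log above; a STALE? verdict instead would point back at the refresh step rather than at the access list.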
		  
		  	
Author: MQsysprog (Centurion; Joined: 24 Feb 2014; Posts: 116)
Posted: Fri Jul 04, 2014 12:57 am

I would suggest verifying the connection setting:
 
 
Connection access control
− user ID of the WebSphere MQ queue manager address space must be granted READ access to the OTMA group profile in the FACILITY class (unless /sec OTMA NONE):
IMSXCF.xcfgname.mqxcfmname

And also a sec otma command, to see the security level settings of the bridge.

Please let me know how it ends ...
			   
			 
Author: gbaddeley (Jedi Knight; Joined: 25 Mar 2003; Posts: 2538; Location: Melbourne, Australia)
Posted: Sat Jul 05, 2014 2:05 am

Is there more information on the end of the first line of the ICH408I? It should contain the userid that RACF is failing on.

Glenn
			   
			 
Author: w33f (Novice; Joined: 07 Nov 2013; Posts: 17)
Posted: Tue Jul 08, 2014 7:46 pm

Thanks for the replies, Glenn and MQsysprog.
 
 
Glenn - the only thing on the end of that line is '533'; there's no userid there.

Since last week the RACF guy has told me that this is occurring due to IMS passing an 'Undefined' user to RACF when it tries to reply and accesses the MQQUEUE RACF object. He proved this by adding the '*' user with Update access to the profile, which returned the same error.

Chatting with the IMS guy now, he tells me they would expect to extract a field in the IMS/IIH header with the UserID, which they then pass to RACF to do this authentication.

MQsysprog - I know very little about IMS but thanks for that info, I will pose those questions to the IMS guy and see if I have any luck.
			   
			 
Author: gbaddeley (Jedi Knight; Joined: 25 Mar 2003; Posts: 2538; Location: Melbourne, Australia)
Posted: Wed Jul 09, 2014 3:35 pm

w33f wrote:
> ...Since last week the RACF guy has told me that this is occurring due to IMS passing an 'Undefined' user to RACF when it tries to reply and accesses the MQQUEUE RACF object. He proved this by adding the '*' user with Update access to the profile, which returned the same error.
>
> Chatting with the IMS guy now, he tells me they would expect to extract a field in the IMS/IIH header with the UserID, which they then pass to RACF to do this authentication
   
 
 
If that's a Windows userid it is unlikely that the RACF guy would want to define it in RACF. I know very little about the IMS / MQ bridge; it's a fairly complex area. Google for "mq ims reply userid" turned up a few likely hits. It could be a security config issue.

Glenn
			   
			 
Author: w33f (Novice; Joined: 07 Nov 2013; Posts: 17)
Posted: Sun Jul 27, 2014 6:10 pm

Fixed this by getting the application guys to add a 'UserIdentifier' parameter in the MQMD, then getting the RACF guy to add this UserIdentifier into the MQAA.AUQM%%% RACF profile.
			   
			 
Author: gbaddeley (Jedi Knight; Joined: 25 Mar 2003; Posts: 2538; Location: Melbourne, Australia)
Posted: Mon Jul 28, 2014 3:19 pm

w33f wrote:
> Fixed this by getting the application guys to add a 'UserIdentifier' parameter in the MQMD, then getting the RACF guy to add this UserIdentifier into the MQAA.AUQM%%% RACF profile.
   
 
 
Be aware that this is a security risk. Assuming the app has ALTUSR authority, the app could set the UserIdentifier in put messages to gain the MQ authority of any userid on the mainframe system. This can be used to penetrate MQ in several devious ways.

Glenn
			   
			 
Author: bruce2359 (Poobah; Joined: 05 Jan 2008; Posts: 9486; Location: US: west coast, almost. Otherwise, enroute.)
Posted: Mon Jul 28, 2014 4:05 pm

Moved to Mainframe forum.

I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.